Home away from home
Posted on December 2, 2007
Filed Under Networking, Unix, Windows
I don’t drive a flashy car, own a fancy house, or even watch a big screen TV — but boy, do I have nice computers. When I worked in a cubicle, it chafed me that the equipment I was supposed to use was quite a bit clunkier than what I was used to at home.
One of the many wonderful things about high-speed Internet is that I can get to my home setup from darn near anywhere. It’s easier with Linux or Mac, of course, but since PC laptops are a commodity, the ability to do it with Microsoft Windows is also a good tool to have in the kit.
Note: This is not about running a “server” on a home cable connection; at least, not in the sense of a public server. This is about making a private connection back to your home computer, for your own personal use.
What we’re going to set up is a sort of “poor man’s Virtual Private Network,” using a simple SSH tunnel.
Of course, you’ll need to know what the IP address of your home connection is. The easiest way to handle this is to hook up with dyndns.org. They have a large variety of domain names; when you sign up with them, you get to add your account name to one of those domains as a subdomain, which they will then point to your home IP address for free. They’ll show you how to find your IP address, and if it changes, you run a little utility program to update the dyndns.org information. It is well worth setting up in advance. Imagine you forgot the slides for the important presentation you’re due to give in fifteen minutes; you could get them from your home PC easily, if only you could log in from work!
So, you have a dyndns.org domain pointing to your home cable connection, and a cable router that is (I hope) blocking all access initiated by outside machines. You’ll need to configure your router to loosen up on just one port — port 22, the ssh port. You’ll also need to accept SSH connections on your Linux box, by installing the sshd daemon.

Your cable modem gets an Internet IP address from your service provider, probably through Dynamic Host Configuration Protocol or DHCP. If you’re like me, you have more than one machine in the house, and so you are sharing that connection through another little box, a Cable/DSL Router. The box your provider set up might also be a router, and it might even have WiFi capability, but it doesn’t matter if we treat the cable modem and router features separately. A router will have some sort of setup screen; usually you can get to it with a web browser. There is probably a password on it, but by default it’s something like “password” or blank. (Scary? That’s why you need to be hooked up with an Ethernet cable to get to this configuration page.)
Check your manual, and you’ll end up at a screen something like the one above. This is an interesting feature; you only have one Internet address, but you want to share it with multiple PCs. The router handles that with something called Network Address Translation or NAT. It’s a bit of bookkeeping, really; by using different “port numbers” to keep track of which local machine made a request, the router can figure out where the replies back from the Internet need to end up. If you want to think of it as magic, go ahead; usually “it just works.” (More about Networking and IP Addresses)
What matters to you is that you need for the PC that is going to accept connections from outside to have the same address consistently. The screen above shows one way to do that — you can teach the router to recognize a specific machine by its Media Access Control address, the serial number of its Ethernet card, and always give it the same IP address.

Once you’ve done that, it’s safe to tell the router that this PC — which is running Linux! — is willing to accept connections from the outside… but only on certain ports. In this case, the port you’re willing to let through is port 22, the SSH port. We’re assuming you have SSH set up properly with good passwords, and that you deny direct logins as the root user. If opening up this port to the whole world and every nasty-minded individual in it doesn’t make you a little nervous, you’re not paying enough attention. I repeat: 192.168.1.3 is not running Microsoft Windows.
A Windows laptop as a client, well, that’s a different story. First, install PuTTY. That’s just a matter of downloading the putty.exe file and adding a shortcut to it, wherever you save it. It does not need to be “installed,” per se. On Windows, I like having a “utility” directory, e.g. C:\Program Files\Utility
When you start PuTTY, its first window will ask you where you want to connect, and as whom. The syntax is user@hostname, as shown in the first screenshot (but replace “kevin@mumble.example.com” with your own username and domain).


It’s a little cryptic, but the “5999” is the LOCAL port (on the Windows PC) and you spell out both the host and the remote port in the larger box, as shown. The example I’m giving you will work exactly as it appears.
Click “Add”.

Go back to Step 1 and give the session a name, then save it. Go back and forth between the items to confirm that the tunnel settings are still there in the saved session. Now click “Open” to make your ssh connection. It will prompt you for a password, because we haven’t set up SSH key authentication yet; that’s okay. It’s a secure connection.
Leave this connection running! If you close PuTTY, you also close the tunnel.
The example I’m setting up is not the only way to use an SSH tunnel. For instance, you could set up a pair of tunnels, then tell your email client to use localhost as your email server. The trick is to specify the right “port numbers” for the services you want to send through the tunnel. In the case of email, you would want tunnels for both IMAP and SMTP. To give you something a little more visual, though, we’re now going to tunnel your entire Linux desktop!
On the Linux box, you want to be running a VNC “server.” This makes a graphical desktop available to you remotely. There are various versions of VNC available, but they all start up pretty much the same way, with the command “vncserver :1” (where :1 is a “screen number” — you can serve multiple sessions, each with its own number).
The first time you run vncserver, it will ask for a (new) VNC password — this should not be the same as your Linux password. The VNC password is only used to connect to VNC.
Now open up a VNC viewer. There are lots of them available; I like both TightVNC and UltraVNC. For the example, I’m using UltraVNC because that’s what is installed on my PC. Note that I’m specifying a port number, with two colons (“::5999”) — I could specify screen :99 but the port syntax makes it a little clearer. If your Windows VNC viewer only accepts screen numbers, use screen number “:99”. (We’re trying to pick a screen to associate with the “localhost” end of the tunnel that is not likely to be in use.)

Connect, and you’ll be prompted for the VNC password, then the VNC screen will come up. When you close the VNC window, the VNC process continues to run on the Linux box, so you can actually start something, close the window, go to ANOTHER computer, and pick up where you left off!
You may get a very bare looking desktop; if so, here is how to make VNC use KDE or Gnome. Edit the file ~/.vnc/xstartup and change the line “x-window-manager &” to “startkde &” or “gnome-session &”. Kill the running vncserver with “vncserver -kill :1” and restart it. If you reboot the Linux box, you will need to restart the VNC server process with the command “vncserver :1” (where :1 is the display number).
The user who starts the VNC process is the user you will see when you connect — it doesn’t matter who makes the SSH connection. Of course, you can also enter the “vncserver” command from the PuTTY console, so you don’t have to leave VNC running all the time.
And yes, you can have multiple sessions active at the same time! Linux is inherently a multi-user system. The two screens won’t interfere with each other. (On Windows, VNC can only show the current logged-in user, so you would be “sharing” the screen if someone is using the PC.)
On the Mac, the easiest way to connect with a tunnel is just to type this command into a Terminal window by rote:
$ ssh -L 5999:localhost:5901 username@example.dyndns.org
Then use your Mac VNC viewer to connect to localhost:5999 as we did above. Port 5901 will connect to screen :1, so if you want a different screen, you should log on as the appropriate user and start VNC on a different screen number, and change the last two digits of “:5901” to match that screen number.
As noted elsewhere, you can set up OpenSSH to use a “key” file so that you do not have to enter your password to log on. The lussh script automates sending that key file, but you can also set it by hand, which is what you’ll need to do if you want to use it with PuTTY. PuTTY comes with a program called PuTTYgen, which (like PuTTY itself) can be run from anywhere on your PC; for convenience, let’s use the same directory where PuTTY is installed. Run it, and you’ll be asked to put in some random noise by wiggling your mouse around.

When it has enough random numbers, a key will appear in the text box. Note that it says this key is for use with an “OpenSSH authorized_keys file” — and that’s exactly what we need. Copy the text from the text box.

You should ALSO save the private key to your utility directory in its original form, for PuTTY’s use. It’s a good idea to export the public key, which won’t have a file extension, but you can give it a “.pub” so you’ll know what it is. You can reload it into PuTTYgen and re-export it for use with other SSH programs at a later date. The private key will end with the extension “.ppk”. (If that reminds you of James Bond, that’s good, because your security depends on keeping this file secret. It stays on your PC.)
A security note: If you’re concerned that someone might make off with your laptop, you have the option to put a passphrase on the PuTTY private key file, and PuTTY will prompt you to unlock the file before it makes a connection. I know it sounds a little absurd to put a passphrase on something that’s supposed to take the place of a password, but this means you can have your cake and eat it too; you see, there is yet another program on the PuTTY website, called “pageant,” which unlocks your SSH private key upon request. The idea is you log on to pageant once, and that allows you to re-use your PuTTY login freely until you close pageant or shut down the PC.
You don’t HAVE to set up pageant. If you don’t specify a passphrase when you create the key in PuTTYgen, you’ll just see a little popup asking “Do you really want to save this key without a passphrase?” I’ll leave it up to you to decide how much security you need (and can cope with) on a day-to-day basis.
You will want to tell PuTTY to use your .ppk file when connecting to your Linux machines. You do that in the “Auth” area of PuTTY.

It will only work on machines where you have added the matching public key to your ~/.ssh/authorized_keys file (which means the file is located in the “.ssh” directory under your home directory). Let’s upload the public key to the Linux box. Log on to the Linux box and give it your password for the last time, and open your favorite editor.
$ vi .ssh/authorized_keys
One very nice thing about PuTTY — whatever you highlight is copied to the Windows clipboard, and a single right-click will then paste it! So, highlight the text in the PuTTYgen text box, and use Ctrl-C to copy it to the clipboard. Now go to your PuTTY window, set the cursor in the correct place, and just right-click once to paste the key. It should appear as a single, very long line.
Log out, re-open PuTTY, and this time it should log into your account without asking you to type your password (if it fails, giving your password is still an option).
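Added example (not from the original post): the authorized_keys step above done from a shell, with the single-line check and the file-permission checks that sshd applies and the post does not mention. The home directory and the key body are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): put a PuTTYgen public key into
# ~/.ssh/authorized_keys as the post describes, with the checks sshd's StrictModes
# applies. The home directory and key below are constructed inputs for the demo.

install_pubkey() {
    # $1 = home directory, $2 = the single long line PuTTYgen shows
    home=$1; key=$2
    sshdir="$home/.ssh"; authfile="$sshdir/authorized_keys"

    # A key that arrived as several lines (wrapped on paste) is the usual reason
    # key login "just doesn't work", so insist on exactly one line.
    [ "$(printf '%s\n' "$key" | wc -l | tr -d ' ')" -eq 1 ] || {
        echo "key must be a single line" >&2; return 1; }

    # The line is "<type> <base64> [comment]"; check the type and that a body exists.
    set -- $key
    case $1 in
        ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) echo "unrecognised key type: $1" >&2; return 1 ;;
    esac
    [ -n "$2" ] || { echo "key has no base64 body" >&2; return 1; }

    # sshd (StrictModes, the default) ignores the file if it or ~/.ssh is
    # writable by anyone but the owner; 700/600 is the safe convention.
    mkdir -p "$sshdir" && chmod 700 "$sshdir"
    touch "$authfile" && chmod 600 "$authfile"

    # Same type and body already present: don't add a duplicate line.
    if grep -qF "$1 $2" "$authfile"; then
        echo "key already present"; return 0
    fi
    printf '%s\n' "$key" >> "$authfile"
    echo "key installed"
}

# Returns 0 when ~/.ssh and authorized_keys have the modes set above.
check_perms() {
    dmode=$(ls -ld "$1/.ssh" | cut -c1-10)
    fmode=$(ls -l "$1/.ssh/authorized_keys" | cut -c1-10)
    [ "$dmode" = "drwx------" ] && [ "$fmode" = "-rw-------" ]
}

# Demo with a constructed key (the base64 body below is not a real key).
demo_home=$(mktemp -d)
install_pubkey "$demo_home" \
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedDemoKeyBodyNotARealKey000 kevin@laptop"
check_perms "$demo_home" && echo "permissions ok"
rm -rf "$demo_home"
```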
You can also use this same key with the WinSCP secure copy utility. It’s a lot like FTP, but uses the security of SSH to protect both your password and the content of the file transfer.
Open up WinSCP and tell it to use the same .ppk file; it should also connect without requiring a password.

With just these three tools, you can do just about everything you could do sitting at your own desk. You can run terminal sessions, copy files to and from your desktop, and interact with applications that are installed on your home machine. It’s also possible to “bounce” off of the Linux SSH server to access a VNC server running on a Windows box at home; remember, Google is your friend.